首页 发现 帮助
登录
masif
/
quran
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
分支: master
分支列表 标签列表
quran
/
configs
/
SecurityHeaders.js

SecurityHeaders.js 4.1 KB
永久链接 文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051 
  1. /*
    2. 

  2.   - default-src: a fallback for all other directives.
    3. 

  3.     - 'self': Refers to the origin from which the protected document is being served, including the same URL scheme and port number.
    4. 

  4.   - script-src: specifies the valid sources of JS running either inside <script> elements or inline script event handlers (onclick). 
    5. 

  5.     - 'unsafe-inline' allows the use of inline resources. 
    6. 

  6.     - 'unsafe-eval' is needed otherwise custom JS variables by google analytics will yield to undefined.
    7. 

  7.   - img-src: specifies valid sources of images and favicons. We allow all sources. besides inline images using :data.
    8. 

  8.     - data: Allows data: URIs to be used as a content source. Currently we use data to embed some images inline e.g. the App Store images in the Side Menu Drawer.
    9. 

  9.   - media-src: specifies valid sources for loading media using the <audio> and <video> elements. Currently we only allow audio from quranicaudio.com.
    10. 

  10.   - connect-src: restricts the URLs that we can connect to using script interfaces including <a>, XMLHttpRequest, WebSocket. Currently we allow all URLs.
    11. 

  11. */
    12. 

  12. const ContentSecurityPolicy = `
    13. 

  13.   default-src 'self' *.qurancdn.com cdn.plaid.com;
    14. 

  14.   script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com https://vitals.vercel-insights.com  https://www.givingloop.org https://code.jquery.com https://www.google.com https://js.stripe.com https://ipinfo.io https://snap.licdn.com https://cdn.mouseflow.com https://www.paypal.com  https://wchat.eu.freshchat.com https://cdn.plaid.com https://cdnjs.cloudflare.com https://cdn.amplitude.com https://cdn.logrocket.io https://www.gstatic.com https://js.stripe.com;
    15. 

  15.   font-src 'self' 'unsafe-inline' 'unsafe-eval' givingloop.org fonts.gstatic.com https://www.givingloop.org;
    16. 

  16.   frame-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com/v3 js.stripe.com  https://www.paypal.com www.paypal.com https://wchat.eu.freshchat.com https://www.google.com www.google.com;
    17. 

  17.   style-src 'self' 'unsafe-inline' 'unsafe-eval' *.givingloop.org givingloop.org fonts.googleapis.com fonts.googleapis.com wchat.eu.freshchat.com; 
    18. 

  18.   img-src * data:;
    19. 

  19.   media-src 'self' *.quranicaudio.com *.qurancdn.com https://qurancdn.com;
    20. 

  20.   connect-src *;
    21. 

  21. `;
    22. 

  22. 

  23. const securityHeaders = [
    24. 

  24.   // Protects from XSS attacks. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    25. 

  25.   {
    26. 

  26.     key: 'Content-Security-Policy',
    27. 

  27.     value: ContentSecurityPolicy.replace(/\n/g, ''),
    28. 

  28.   },
    29. 

  29.   // Controls how much information the browser includes when navigating away from a document. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    30. 

  30.   {
    31. 

  31.     key: 'Referrer-Policy',
    32. 

  32.     value: 'origin-when-cross-origin', // Will Send the origin, path, and query string when performing a same-origin request to the same protocol level e.g. https://www.quran.com/search?page=1&language=en&query=Allah; otherwise, will only send base url e.g. https://www.quran.com.
    33. 

  33.   },
    34. 

  34.   // Indicate that Content-Type headers should not be changed and be followed. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    35. 

  35.   {
    36. 

  36.     key: 'X-Content-Type-Options',
    37. 

  37.     value: 'nosniff', // disallow overriding response Content-Type headers to guess and process the data using an implicit content type.
    38. 

  38.   },
    39. 

  39.   // Controls DNS pre-fetching, allowing browsers to proactively perform domain name resolution on external links, images, CSS etc which reduces latency when the user clicks a link. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control
    40. 

  40.   {
    41. 

  41.     key: 'X-DNS-Prefetch-Control',
    42. 

  42.     value: 'on',
    43. 

  43.   },
    44. 

  44.   // Controls which features and APIs can be used in the browser. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy and https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
    45. 

  45.   {
    46. 

  46.     key: 'Permissions-Policy',
    47. 

  47.     value: 'camera=(), microphone=(self), geolocation=(self), fullscreen=*', // camera is disabled for all, microphone only for the current origin, geolocation only for the current origin and fullscreen for all including iframes.
    48. 

  48.   },
    49. 

  49. ];
    50. 

  50. 

  51. module.exports = securityHeaders;
    52.